
How to throttle VLC traffic to the Local Collector (Log Decoder) when limited bandwidth is an issue in RSA Security Analytics 10.x and NetWitness Platform

Issue

In some scenarios, bandwidth between the VLC (connected remotely over a VPN or a small-bandwidth link) and the LC is limited. This can be resolved by using a script that RSA provides to throttle traffic. The script is located on the VLC and is called set-shovel-transfer-limit.sh.

Tasks

The script is located at /opt/netwitness/bin/set-shovel-transfer-limit.sh on the VLC.

Running the script without any arguments prints its usage, as seen below:

Usage: ./set-shovel-transfer-limit.sh -s|-c|-d|-m [-i interface] [-p port] [-r rate]

where:

      -c = clear existing
         ex.   tc qdisc del dev eth0 root
               iptables --flush OUTPUT --table mangle

      -d = display filter
         ex.   iptables -t mangle -n -v -L
               tc -s -d class show dev eth0

      -m = monitor filter
         ex.  watch tc -s -d class show dev eth0

      -s = set new values

          interface is the name of the network interface. default=eth0
          port is the port number for rabbit shovel.  default=5671
          rate is the bandwidth rate. default=256kbps
          Bandwidths or rates can be specified in:
            kbps = Kilobytes per second
            mbps = Megabytes per second
            kbit = Kilobits per second
            mbit = Megabits per second
            bps  = Bytes per second
            "nolimit" disables

Resolution

This example limits bandwidth between the VLC and the Local Collector (Log Decoder) to 512kbps. The commands are run as root from the command line on the VLC:

# /opt/netwitness/bin/set-shovel-transfer-limit.sh -s -r 512kbps

Stats can be seen by running the script with -m, which monitors the filter (per the usage above, for example watch tc -s -d class show dev eth0):

# /opt/netwitness/bin/set-shovel-transfer-limit.sh -m
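
In the unit list above, kbps means kilobytes per second, not kilobits, so a -r value is worth converting before it is applied to a constrained link. The following is an added example, not part of RSA's script; the function names are hypothetical, it assumes the SI multiples of 1000 that tc uses for these suffixes, and the 10mbit link capacity is a constructed sample value.

```shell
#!/bin/sh
# Added example (not RSA's script): work out what a -r value means on the wire.
# Assumption: SI multiples of 1000, as tc uses for these suffixes.

# rate_to_bits RATE -> prints bits per second ("nolimit" prints 0).
# Returns 1 on an unknown unit or a malformed number.
rate_to_bits() {
    rate=$1
    [ "$rate" = "nolimit" ] && { echo 0; return 0; }
    # Longer suffixes first: "kbps" and "mbps" also end in "bps".
    case $rate in
        *kbps) num=${rate%kbps}; mult=8000 ;;      # kilobytes per second
        *mbps) num=${rate%mbps}; mult=8000000 ;;   # megabytes per second
        *kbit) num=${rate%kbit}; mult=1000 ;;      # kilobits per second
        *mbit) num=${rate%mbit}; mult=1000000 ;;   # megabits per second
        *bps)  num=${rate%bps};  mult=8 ;;         # bytes per second
        *) echo "unknown unit in '$rate'" >&2; return 1 ;;
    esac
    # Whole numbers only; a leading zero would be read as octal by the shell.
    case $num in
        ''|*[!0-9]*|0?*) echo "bad number in '$rate'" >&2; return 1 ;;
    esac
    echo $((num * mult))
}

# link_percent RATE LINK -> whole percent of LINK that RATE may consume.
link_percent() {
    want=$(rate_to_bits "$1") || return 1
    link=$(rate_to_bits "$2") || return 1
    [ "$link" -gt 0 ] || { echo "link must be a finite rate" >&2; return 1; }
    echo $((want * 100 / link))
}

# Constructed sample: the page's default and example rates on a 10mbit VPN link,
# plus 512kbit to show the eightfold gap between kbps and kbit.
for candidate in 256kbps 512kbps 512kbit; do
    echo "$candidate = $(rate_to_bits "$candidate") bit/s," \
         "$(link_percent "$candidate" 10mbit)% of a 10mbit link"
done
```
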


Product Details

RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.4, 10.5, 10.6, 11.x
Platform: CentOS
O/S Version: EL6, EL7

Summary

This article describes how to throttle VLC/RC traffic using iptables and tc (traffic control).


Approval Reviewer Queue

RSA NetWitness Suite Approval Queue